[olug] restricting ports on SSH forwarding

Trent Melcher trentm at trackd.run
Fri May 29 12:39:11 CDT 2020


You want to make it even more secure, look up ssh port knocking. :)

On Fri, May 29, 2020, 4:43 AM Lou Duchez <lou at paprikash.com> wrote:

> Update, it turns out it was pretty easy to do, once I'd opted for
> OpenSSH instead of freeSSHd.  I found the sshd_config file and added
> these parameters to the main body of options:
>
> PermitTTY no
> PermitOpen 127.0.0.1:3389
> #Subsystem    sftp    sftp-server.exe
>
> That last one was commenting out the line that by default allowed SFTP
> access.  My goal here is to allow tunneling just to port 3389 (i.e.,
> RDP) and not even allow any shell access, and those three lines do the
> trick.  Now if a person wants to hack the system, they need to figure
> out which port I've moved SSH to, guess the non-root login and password
> I've set up, THEN figure out which port I've moved RDP to and guess the
> appropriate login and password for that. Yeah, I'm going to call that
> pretty secure.
>
>
>
> On 5/28/2020 10:52 PM, Lou Duchez wrote:
> > I am on Team Linux as much as possible myself, but we do have a few
> > servers that do Windows.  Some run ASP.Net applications (and as good
> > as Mono is, it's still less stable than genuine .Net).  And we have,
> > on the cloud, some virtual PCs that we use for development or running
> > other Windows utilities; accessing them securely is a big deal.
> >
> >
> >
> > On 5/28/2020 10:16 PM, Reiners Cloud Consulting LLC wrote:
> >> Absolutely, I'd recommend replacing with openSSHd myself, but I'm team
> >> Linux for everything whenever possible. Should work fine, and follow all
> >> standards as close as possible.
> >>
> >> I've never installed it on windows before myself, but I can't see why it
> >> wouldn't work.
> >>
> >>
> >>
> >> On Thu, May 28, 2020, 8:39 PM Lou Duchez <lou at paprikash.com> wrote:
> >>
> >>> Thanks for the pointer; alas it's specific to OpenSSH.  Perhaps I need
> >>> to install Win32-OpenSSH, which will hopefully include the
> >>> authorized_keys functionality.
> >>>
> >>> I went with freeSSHd because it installed easily and smoothly, and
> >>> seemed to work well for the most part.  That's when it dawned on me
> >>> that port forwarding comes with a BIG security risk ...
> >>>
> >>>
> >>> On 5/28/2020 8:22 PM, Reiners Cloud Consulting LLC wrote:
> >>>> I realize it's windows based ssh but maybe it has some similar
> >>>> flags to get you pointed in the right direction.
> >>>>
> >>>> On Thu, May 28, 2020, 7:19 PM Justin Reiners <justin at hotlinesinc.com>
> >>>> wrote:
> >>>>> Here's a good write-up on restricting access, hope it helps
> >>>>>
> >>>>> https://blog.tinned-software.net/restrict-ssh-access-to-port-forwarding-to-one-specific-port/
> >>>>>
> >>>>> On Thu, May 28, 2020, 6:41 PM Lou Duchez <lou at paprikash.com> wrote:
> >>>>>
> >>>>>> So SSH forwarding is a dandy way to get data to travel back and
> >>>>>> forth over a secure encrypted connection.  The only problem I'm aware
> >>>>>> of is, if I open up SSH port forwarding on my server to allow access
> >>>>>> to port 11111, there's nothing stopping a user from using the same SSH
> >>>>>> connection to get at port 22222.
> >>>>>>
> >>>>>> ... or is there?  Any thoughts on how to limit the port forwarding on
> >>>>>> an SSH connection?  In particular I'm using freeSSHd on a Windows
> >>>>>> server, so if anyone knows anything about that, that would help.
> >>>>>> _______________________________________________
> >>>>>> OLUG mailing list
> >>>>>> OLUG at olug.org
> >>>>>> https://www.olug.org/mailman/listinfo/olug
> >>>>>>
>
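As an added example (not code from the thread or from the OpenSSH project), a small Python audit of the directives discussed above: it resolves which sshd_config keywords apply to a given user the way sshd does (first value wins within a section, a matching Match block overrides the global section) and flags what a tunnel-only account can still do, for instance remote (-R) forwarding when PermitListen is left at its default, or running commands when PermitTTY is set but ForceCommand is not. The config text is constructed for the example, and only "Match User" criteria are modelled.

```python
# Constructed sshd_config modelled on the thread (not a real server's file):
# a global section plus a Match block for the account that may only tunnel to RDP.
SAMPLE_CONFIG = """\
Port 2222
Subsystem sftp sftp-server.exe
Match User rdptunnel
    PermitTTY no
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:3389
    PermitListen none
    ForceCommand /bin/false
"""

def effective_options(config_text, user):
    """Directives that apply to `user`: global section, overridden by the first
    matching Match block. Only 'Match User a,b' criteria are modelled (simplified)."""
    glob, matched, in_match, active = {}, {}, False, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            in_match = True
            crit = value.split()
            active = any(crit[i].lower() == "user" and user in crit[i + 1].split(",")
                         for i in range(0, len(crit) - 1, 2))
        elif not in_match:
            glob.setdefault(key, value)               # first value wins
        elif active:
            matched.setdefault(key, value)            # first matching block wins
    return {**glob, **matched}

def audit_tunnel_only(config_text, user):
    """Findings where `user` could still do more than tunnel to the intended
    destination; an empty list means the tunnel-only restriction holds."""
    o = effective_options(config_text, user)
    fwd = o.get("allowtcpforwarding", "yes").lower()
    findings = []
    if fwd in ("no", "remote"):
        findings.append("AllowTcpForwarding blocks the -L tunnel entirely")
    if fwd in ("yes", "all") and o.get("permitlisten", "any").lower() == "any":
        findings.append("remote (-R) forwarding unrestricted: set PermitListen")
    if o.get("permitopen", "any").lower() == "any":
        findings.append("PermitOpen is 'any': any host:port the server reaches")
    if o.get("permittty", "yes").lower() == "no" and "forcecommand" not in o:
        findings.append("PermitTTY no only denies a pty; add ForceCommand too")
    return findings
```

Running the audit for a user the Match block does not cover shows the global defaults (PermitOpen any, PermitListen any) that the thread's three lines leave in place for everyone else.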

